Yes, CRM certificates are external records. Any information that is required by the laboratory, but not created by the laboratory, is an external document.
Note that they require proper control, as the requirements of clause 6.4, Equipment, apply to CRM certificates too. This means that the reference data needs to be verified as fit for use, providing sufficient information to maintain confidence in the reference material. The storage and handling of the reference data, including results, acceptance criteria, relevant dates, and the period of validity, must also be controlled.
No, you do not need to have ISO 13485 certification since you are not the producer of the kit. Only the producer needs to be ISO 13485 certified.
The corrective action log in general contains a unique identification (e.g., number or code), the description of the non-conformity, identification of similarly identified nonconformities, actions to be implemented, and identification of approver and implementer.
If you need evidence of the actions that follow, at least the following information needs to be recorded:
For example, if the nature of the nonconformity is about lack of competence, the proposed action could be training, and the results to be recorded would be certifications, attendance lists, or interviews with employees about the training topic.
This article will provide you with a further explanation about corrective actions:
1) Where is the documentation concerning A.18 (Compliance)?
Answer: First of all, sorry for this confusion.
Documents that cover controls from section A.18 can be found here:
- documents in the toolkit in folder "02 Procedure for identification of requirements" ("Procedure for Identification of Requirements" and "Appendix – List of Legal, Regulatory, Contractual and Other Requirements")
- control A.18.1.2 is included in the document IT Security Policy (you'll find it in the toolkit in folder 08 Annex A security controls - A.8 Asset management) in the section "3.15. Copyright".
In the root folder of the Documentation Toolkit, you'll find a document called “List of Documents” that explains which control/clause is covered by which document, and which documents are mandatory.
2) What about the Annexes A.1 to A.5?
Answer: The documents from section A.5 are not missing from the toolkit – you can find them here:
- A.5 – all the documents from folder “08 Annex A” cover the requirements for information security policies (A.5.1.1 and A.5.1.2)
It is important to note that not every control needs to be documented, and to avoid unnecessary administrative work the toolkit includes only the mandatory documents plus the most common ones.
ISO 27001 does not contain annexes A.1 to A.4.
3) In addition, I would like to ask if you deliver training materials about the ordered documentation. I already entered ISO 22301 & ISO 27001.
Answer: Please note that your toolkit includes access to video tutorials that guide you on how to fill in the most critical documents of the toolkit (e.g., ISMS scope, Information Security Policy, Risk Assessment Table, Risk Treatment Table, etc.). In the email you received when you bought the toolkit you will find information on how to access the video tutorials.
Included in each template there are also comments to guide you on how to fill in the documents.
The adequacy of the processes will depend on the security controls identified by the company as necessary, based on the results of the risk assessment and the identification of applicable legal requirements (e.g., laws, regulations, or contracts).
For example, if the results of the risk assessment indicate the need for backups, the organization's processes must be adjusted to allow for the time required to perform the backups, and the locations where these copies will be stored must also be considered.
Another example would involve the need to handle information according to its classification. Certain processes must be adapted so that no information is left visible when the user is away from their workstation.
For further information, see:
Some ideas about promoting a quality culture:
About product risk assessment:
Determine risks, and evaluate potential consequences and probability – check this free webinar on demand:
First, it is important to note that ISO 27001 does not require a gap analysis to be performed.
Considering that, you should define a scope for your gap analysis so you can understand which kind of questions you need to consider.
For example, if your gap analysis scope is Research and Development, it does not make sense to include questions related to HR or sales processes.
Additionally, we do not recommend using it for companies with fewer than 500 employees, because it would make your implementation unnecessarily complex.
You can access the ISO 27001 Gap Analysis Tool at this link: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/
For further information, see:
- ISO 27001 gap analysis vs. risk assessment https://advisera.com/27001academy/knowledgebase/iso-27001-gap-analysis-vs-risk-assessment/